95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
Size

9.6MB
MD5

0fbda8da6711ba80824bd22a21ff396c
SHA1

617d0e570156e62cb3822f8da5e6b6c394dcd3ac
SHA256

95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e
SHA512

253cbd485c4478cd32d27d969b3653b51a05fd3239a09ead55d6b07f56796469becffb3bc7d2412aaab529cb1c47e5fc96a89ba9d688a7b9004c9ab21692b148
SSDEEP

196608:lphjlGclOtv7UwNCCx86srDo7rP4x8fueE7xv3B0v9aOUmnGhmz:Bj/wtTUup86sHg3fMvB0vghmGhU

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2640	AdbeArCleaner.exe
2856	AdbeArCleaner_v2.exe
1432	AdobeAcroCleaner_DC2015.exe
1144	AdobeAcroCleaner_DC2021.exe
2704	AdobeCreativeCloudCleanerTool.exe
2460	ACToolMain.exe
828	ACToolMain.exe

Loads dropped DLL 25 IoCs

pid	Process
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
2704	AdobeCreativeCloudCleanerTool.exe
828	ACToolMain.exe
828	ACToolMain.exe
828	ACToolMain.exe
828	ACToolMain.exe
828	ACToolMain.exe
828	ACToolMain.exe
828	ACToolMain.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	AdbeArCleaner.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\system32\AdobePdf.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\system32\acaptuser64.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\SysWOW64\AdobePdf.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\AdobePDFUI.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser32.dll	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\SysWOW64\acaptuser64.dll	AdbeArCleaner.exe
File opened for modification	C:\Windows\system32\AdobePDFUI.dll	AdobeAcroCleaner_DC2021.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 9.0\Vigtigt.htm	AdbeArCleaner.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\fr_FR\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\bg_BG\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\eu_ES\3DReviewer\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.CZE	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.ITA	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\da_dk\acrobat\X\standard\using\helpmap.txt	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\sv_SE\Acrobat_10.0_Standard.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.PTB	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\it_IT\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\uk_UA\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\zh_TW\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.BGR	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\fi_FI\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ro_RO\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\sv_SE\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\sl_SI\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.HRV	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 9.0\PDFMaker	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\uk_ua\acrobat\X\standard\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 10.0\LeiaMe.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\es_ES\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\FormsCentral	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 9.0\ReadMeETI.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.NOR	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.SLV	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\lv_LV\3DReviewer\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 9.0\ReadMeRUS.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ca_ES\Acrobat Pro\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\FormsCentral	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fr_FR\Acrobat_10.0_Standard.helpcfg	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ko_kr\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 10.0\Léame.htm	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.ITA	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.BGR	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\zh_TW\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\tr_TR\3DReviewer\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.NOR	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fr_FR\Acrobat_10.0_Professional.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\sk_SK\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\ReadMeCS.htm	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\pdfshell.SVE	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\cs_cz\acrobat\X\standard\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fr_FR\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Viktig.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Resource	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\sv_SE\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\zh_TW\Acrobat Pro\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\ja_JP\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Help\it_IT\Acrobat Pro 3D\9.0	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ro_ro\acrobat\X\standard\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\pt_BR\Acrobat_Pro.helpcfg	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\eu_ES\Acrobat Pro\9.0	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_us\Acrobat Pro 3D\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ca_ES\Acrobat Pro\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 10.0\Lisezmoi.htm	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\fr_FR\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\it_IT\3DReviewer\9.0	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\zh_tw\acrobat\X\standard\using\helpmap.txt	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\uk_UA\3DReviewer\9.0	AdbeArCleaner.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\ru_ru\acrobat\X\pro\using\helpmap.txt	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\cs_CZ\Acrobat_DC.helpcfg	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.MEA	AdobeAcroCleaner_DC2021.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdbeArCleaner_v2.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Windows\Fonts\ZWAdobeF.TTF	AdbeArCleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdbeArCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeCreativeCloudCleanerTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACToolMain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdbeArCleaner_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeAcroCleaner_DC2015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACToolMain.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Implemented Categories	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\DataFormats\GetSet\7	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2991F100-D9C3-4243-82A2-A718747FC0CF}\1.0	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\FLAGS	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BB2200E-5672-4A32-902A-5A98DB1C58DC}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05BFD3F1-6319-4F30-B752-C7A22889BCC4}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{673E8452-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroIEHelperShim.AcroIEHelperShimObj\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.adobe.rmf	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.PDF.1	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XFDFDoc\shell\Read\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\protocol\StdFileEditing\SetDataFormats	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{673E8454-7646-11D1-B90B-00A0C9259304}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.FDF.1\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFShell.PDFShell	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFShellServer.PDFShellInfo2.1\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\shell\Open\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.XDPDoc\shell\Open	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41C5FFFE-36DD-415D-9ED0-2976A342A1C8}\1.0\0\win32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3E6-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\CLSID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41738EEA-442F-477F-92CF-2889BD6CD7E7}\1.0\FLAGS	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.fdf	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\PersistentHandler	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmf	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\DefaultIcon	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.secstore\AcroExch.SecStore\ShellNew	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\Verb	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xfdf\AcroExch.XFDFDoc	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{789AD2D7-E1C2-4EC7-A049-2DB5BB4CB57A}\1.0\0\win32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\Programmable	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\shell\Print	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Printto\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}\1.0	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc\shell\Printto\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.7\protocol\StdFileEditing	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}\TypeLib	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{633D6DA1-70AB-49A5-9539-54E90F132763}\Programmable	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PDFShellServer.PDFShellInfo\CurVer	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\AuxUserType\2	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD069A1-50AA-11D1-B8F0-00A0C9259304}\ProgID	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B4CD3EC-4981-101B-9CA8-9240CE2738AE}	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroPDF.FDF\CurVer	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{67E94227-7662-4050-9C72-746983CF37A2}\1.0\0	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\Programmable	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2991F100-D9C3-4243-82A2-A718747FC0CF}\1.0\0\win32	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroBroker.Broker\CurVer	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Print\command	AdbeArCleaner.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.pdfxml.1\shell\Open\command	AdbeArCleaner.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_R	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_E	AdobeAcroCleaner_DC2021.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat:Acro_R	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat:Acro_E	AdbeArCleaner_v2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_R	AdobeAcroCleaner_DC2015.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat [RegistryHiveName]\Acrobat:Acro_E	AdobeAcroCleaner_DC2015.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2640	AdbeArCleaner.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
2856	AdbeArCleaner_v2.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe
1432	AdobeAcroCleaner_DC2015.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2724	msiexec.exe
Token: SeRestorePrivilege	2848	msiexec.exe
Token: SeTakeOwnershipPrivilege	2848	msiexec.exe
Token: SeSecurityPrivilege	2848	msiexec.exe
Token: SeCreateTokenPrivilege	2724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2724	msiexec.exe
Token: SeLockMemoryPrivilege	2724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2724	msiexec.exe
Token: SeMachineAccountPrivilege	2724	msiexec.exe
Token: SeTcbPrivilege	2724	msiexec.exe
Token: SeSecurityPrivilege	2724	msiexec.exe
Token: SeTakeOwnershipPrivilege	2724	msiexec.exe
Token: SeLoadDriverPrivilege	2724	msiexec.exe
Token: SeSystemProfilePrivilege	2724	msiexec.exe
Token: SeSystemtimePrivilege	2724	msiexec.exe
Token: SeProfSingleProcessPrivilege	2724	msiexec.exe
Token: SeIncBasePriorityPrivilege	2724	msiexec.exe
Token: SeCreatePagefilePrivilege	2724	msiexec.exe
Token: SeCreatePermanentPrivilege	2724	msiexec.exe
Token: SeBackupPrivilege	2724	msiexec.exe
Token: SeRestorePrivilege	2724	msiexec.exe
Token: SeShutdownPrivilege	2724	msiexec.exe
Token: SeDebugPrivilege	2724	msiexec.exe
Token: SeAuditPrivilege	2724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2724	msiexec.exe
Token: SeChangeNotifyPrivilege	2724	msiexec.exe
Token: SeRemoteShutdownPrivilege	2724	msiexec.exe
Token: SeUndockPrivilege	2724	msiexec.exe
Token: SeSyncAgentPrivilege	2724	msiexec.exe
Token: SeEnableDelegationPrivilege	2724	msiexec.exe
Token: SeManageVolumePrivilege	2724	msiexec.exe
Token: SeImpersonatePrivilege	2724	msiexec.exe
Token: SeCreateGlobalPrivilege	2724	msiexec.exe
Token: SeShutdownPrivilege	2740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2740	msiexec.exe
Token: SeCreateTokenPrivilege	2740	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2740	msiexec.exe
Token: SeLockMemoryPrivilege	2740	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2740	msiexec.exe
Token: SeMachineAccountPrivilege	2740	msiexec.exe
Token: SeTcbPrivilege	2740	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeLoadDriverPrivilege	2740	msiexec.exe
Token: SeSystemProfilePrivilege	2740	msiexec.exe
Token: SeSystemtimePrivilege	2740	msiexec.exe
Token: SeProfSingleProcessPrivilege	2740	msiexec.exe
Token: SeIncBasePriorityPrivilege	2740	msiexec.exe
Token: SeCreatePagefilePrivilege	2740	msiexec.exe
Token: SeCreatePermanentPrivilege	2740	msiexec.exe
Token: SeBackupPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeShutdownPrivilege	2740	msiexec.exe
Token: SeDebugPrivilege	2740	msiexec.exe
Token: SeAuditPrivilege	2740	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2740	msiexec.exe
Token: SeChangeNotifyPrivilege	2740	msiexec.exe
Token: SeRemoteShutdownPrivilege	2740	msiexec.exe
Token: SeUndockPrivilege	2740	msiexec.exe
Token: SeSyncAgentPrivilege	2740	msiexec.exe
Token: SeEnableDelegationPrivilege	2740	msiexec.exe
Token: SeManageVolumePrivilege	2740	msiexec.exe
Token: SeImpersonatePrivilege	2740	msiexec.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2724	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	30
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2740	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	32
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2896	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	33
PID 1940 wrote to memory of 2640	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	34
PID 1940 wrote to memory of 2640	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	34
PID 1940 wrote to memory of 2640	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	34
PID 1940 wrote to memory of 2640	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	34
PID 1940 wrote to memory of 2856	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	35
PID 1940 wrote to memory of 2856	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	35
PID 1940 wrote to memory of 2856	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	35
PID 1940 wrote to memory of 2856	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	35
PID 1940 wrote to memory of 1432	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	36
PID 1940 wrote to memory of 1432	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	36
PID 1940 wrote to memory of 1432	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	36
PID 1940 wrote to memory of 1432	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	36
PID 1940 wrote to memory of 1144	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	37
PID 1940 wrote to memory of 1144	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	37
PID 1940 wrote to memory of 1144	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	37
PID 1940 wrote to memory of 1144	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	37
PID 1940 wrote to memory of 2704	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	38
PID 1940 wrote to memory of 2704	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	38
PID 1940 wrote to memory of 2704	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	38
PID 1940 wrote to memory of 2704	1940	95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe	38
PID 2704 wrote to memory of 2460	2704	AdobeCreativeCloudCleanerTool.exe	40
PID 2704 wrote to memory of 2460	2704	AdobeCreativeCloudCleanerTool.exe	40
PID 2704 wrote to memory of 2460	2704	AdobeCreativeCloudCleanerTool.exe	40
PID 2704 wrote to memory of 2460	2704	AdobeCreativeCloudCleanerTool.exe	40
PID 2460 wrote to memory of 828	2460	ACToolMain.exe	41
PID 2460 wrote to memory of 828	2460	ACToolMain.exe	41
PID 2460 wrote to memory of 828	2460	ACToolMain.exe	41
PID 2460 wrote to memory of 828	2460	ACToolMain.exe	41

C:\Users\Admin\AppData\Local\Temp\95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe
"C:\Users\Admin\AppData\Local\Temp\95951f62baa0f74c5887fb285e54924847d6a8a99d4ae825d5585fa82a26106e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-BC15014EA700} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-0C0F074E4100} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /X {AC76BA86-1033-FFFF-7760-000000000006} /qn /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe" /silent /product=0 /cleanlevel=1 /scanforothers=1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
    "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
      "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe" sudo /Applications/Adobe Acrobat DC/Adobe Acrobat.app/Contents/Helpers/Acrobat Uninstaller.app/Contents/Library/LaunchServices/com.adobe.Acrobat.RemoverTool Uninstall /Applications/Adobe Acrobat DC/Adobe Acrobat.app --eulaAccepted=1 --removeAll=ALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt

Filesize
2KB

MD5
30cd177a4424d4229d8a1fb25a6b1e28

SHA1
b888b1d16bde18d24cb23c8b6b19ff59843c5001

SHA256
388ec8c0e2524f39c04bd9eefcb8a9f54be1b84a7f48c6cdcac26ef4fcb476b8

SHA512
749833e12a2d32b8c56275f41b68c0a867ac42064045fb0cec9ff47b0994657e42e90859d0495f1bfe25c34674c5adfbef0af4df0c62ec28dde6226de5736b36

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ja_JP.txt

Filesize
3KB

MD5
5e05dc88dd24e414541c8dd0f895abc8

SHA1
27e139e6f31eae79a51530e99720248dc39314e7

SHA256
09735466b479511f776d332150cd90d444d9d4c6572220ea02d24425a053be5f

SHA512
46ed0efdc64692d8bbb7d171e6d9c5cc460f17affdbff29f4171cb3d1ab8de56dc41c34c9f3252f5bcefedcd0200a1199494fdc7f02491dec068ea46f2bf6250

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftLogs\AdbeArCleaner.log

Filesize
84KB

MD5
81de098afa841af1f20ca7c426b5f07f

SHA1
b5dc24efbe3132ba76e714607c1b96f96f2ecf5f

SHA256
2eb788eb60e4e688077c1b22d765297459ea6c656ca7b7b7a9b78330868d9dc9

SHA512
f5e87a7bfd0d8e465ba6536cc39d1b73c3496dd4a6bbf23b692a9664c3cc5fd2d4ee4f5e921eb7cb00c5f70b0ee6fbe3c70653e7897dd5a6887410a1f332ca50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftLogs\AdbeArCleaner.log

Filesize
443KB

MD5
ab53f48fabf5f463c41a497f014341ad

SHA1
f5e32c10ff0020ba758d8e2abe47101686e2156b

SHA256
2cd716c47c57aaa0dc8f0c5ad568a23564a21ea76ed48e1e612650c156cc6bff

SHA512
50379ecb797351106c8624178006bb1f18f4dd1714a4d0c7d095b947f2d0aa0d150779a4a0693ddf1b92664e378acde5c9eaa3dcf7e4ec154d8d01a3c4839f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\Acrobat12MergeRegistries.xml

Filesize
237B

MD5
2d20ff8a511675ee6c565c967373ec05

SHA1
732a9a4df7eb675b707a04e6d3ec6aa6fdb3f765

SHA256
db977007fe5e9dffd8475feccbe17e3034db063c20f1ac88c26619d0efc92f3d

SHA512
5ce4dc7c76797cbac2a248eab1e9e6aa4286e2ac37b09da1daf8539da2d6a8ea4133953d8dcb3634108a3d721c2d067d8c1876afdc11ad3fd93bf39ea2f282eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\UserFiles.xml

Filesize
9KB

MD5
6128efda5177131423fbc779e7527462

SHA1
90502a3ba004a0e0fd5d34d41c4b6d49ec4a0938

SHA256
9b183d89a467de99c038fde1e93b92f2b93ca2a228acb0c8b965ec787859725e

SHA512
72ba36c77b35d2e2d92287d1f36b09075e7df0e5d7d5f7c9b0b7bd891f6db972b8154520a94611558946a4bcf8f6ed15436461f9626fce2e8788dac79231cfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaftTempFiles\UserRegistries.xml

Filesize
10KB

MD5
3f4fc94063b4e5c1ce90eae4031449fb

SHA1
13a4397f903484bfc18503124a239b4adb257f82

SHA256
075ab4a8eb16a8d1dedd7e3ad7871442b9ffe33a20dd59b7ce7e4366584e14e7

SHA512
4759e5ffe54f91c28915702a4b68398c55b949cf7d7f0208f43411a8fef60b97100c7a714c47d003b810cfdafac84a788e0e77fecd083e933a20aa86cceaa072

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\ACToolMain.exe.manifest

Filesize
499B

MD5
001ce64d40f5d96cfaed8c3fbca126dd

SHA1
f14664edf8b5d80b12608c36fd8568d59a4ccaa7

SHA256
6351b663c952000efabe581f2c10db0505b2bd973f35f90344a27e1763d3be39

SHA512
176a3c12d27d763486127efa9c8fdbc1c646f7cd52593fb71090c1a5f28bc353311de59a6f5896cf5c254dcf5de193548055ad347fe748e74c034b5eaf917655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\pythoncom25.dll

Filesize
332KB

MD5
57e1d877a4590ab0cfd08f045196136d

SHA1
9576fb239666c9e44e08bb5605474a46aa42afa8

SHA256
ef537876ffeb4ce20b5dd7a18f444fdcca49562927ad27fe2b63ac0557c35bc1

SHA512
ede517807efb7d286c776e6525aa33bde37af967b4304097a8da456a99faad6f52ccc165fa4e7b0346932dc485f1a8874403814b87b27a593c9c7a8be580e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\win32api.pyd

Filesize
104KB

MD5
6963b77ba2242514663ae52901a4fe11

SHA1
8086f59c4a7b2174fb7501923f22937e3ecf8215

SHA256
ffa18d3d344c133904854f81a999aee7a7cac4784201aba07ef4f3e1b6fef6d5

SHA512
6261adad18fd4bc2e5e160a737dfef1da99b563743ac353df77b2fe56267270b6ed00be073bdf6b4aae0ad44abd4f8d9c44cd4c43b6b6a14cd9b664e9ff1f75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24602\win32file.pyd

Filesize
112KB

MD5
7a413cbb37b41d21712ccdba93e88d3d

SHA1
7a77b6dde51ed56b1647609e7f9b0fcc245e597f

SHA256
c6f524cb79c109f16c4495a44879845e74af12573bad3d3456ef0b98bd8abbd3

SHA512
40fa7ed0cc358454e0007488c95f328c6ddfd012e9d59575f59ea8a2ba69dc5a60d5f389b8f50e9f7e562103a187d0dce2f8cdf305b74b10ed040ee3ed7e51f8

Download Submit
\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe

Filesize
6.5MB

MD5
f40111f2ec18859799264e204ef97dae

SHA1
f18a56eabd4ca0bf1ddebc546a0bcce8e34a9783

SHA256
7f413b98b6295508d19f4b9b5c1842104b3ae1938898422fbc6855e7cd042fd5

SHA512
85332357d6a19fc57106a4208d1c9d37f25688953698c70dd4d3bb498e3a0841f986f9ea386b4c9b19be143a02b1709a98059d0e17a3de2bdf05f306a9e24ea3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner.exe

Filesize
2.0MB

MD5
47fb9f02f83dc4797b2989424ec3cc95

SHA1
09fe7d3777833add1153d8f54d3a453a3bae4524

SHA256
ecf73394229a4f060e31c422b2e730efec2d49200bf0ff60d220cb6202e0cf17

SHA512
2c3530e97d1b45ce65989bbe05780b9fd780dc066362d26a69218a34f393e145624514630dbfb119d7a34478edd3e0edb0b0b1a13d4143cb4d1b1fedf4bf92ce

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdbeArCleaner_v2.exe

Filesize
2.2MB

MD5
1d59933af6493bb3327f939dc89f0145

SHA1
7223f76424e2a5afab37fd068dbe98ff2690e8e2

SHA256
f134cdafd92d95428e8b5795851621e493936def21c2c1e6bb084c8630d826f4

SHA512
db85477008c1eae4ae6ce0ff9d6d0ff02cc40b595190dff0f9622109b47f0a07075848143d649e0a020354bc3dda4f60c89f6b763d4faa986a2e8a107cfd54a5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2015.exe

Filesize
2.1MB

MD5
3a7912e4ed0053166b5955377094b1b5

SHA1
95e1746b53edb3fca3db0f1de01f6a215730304b

SHA256
a6a07aa438d8eacdc7d1502168d02b7d49bfeab6792c0c4363acbe0bcd7216ee

SHA512
2e0a6bef9950bb556589360dcfd75344d03fba7528cd8a0ad55c3272de6885a0d3e9232e357b7506cf2a8d2567f1fccf83d6e75e2bf31f2c288a14ef3a261163

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeAcroCleaner_DC2021.exe

Filesize
2.7MB

MD5
8690f654b1f942ba8d534136f5f01f8a

SHA1
ad712610550f794d8e57d037ab6eccd9f1cd4f3b

SHA256
af48d67ac8f753ee0a9784e0fe17e4c0419849ceb3a80a3e4533fd9aa2d0aa78

SHA512
45d3a5ff276538ad3d83f6f5cc40c189d8e229c47e21e8c06c4d29d66bae86f175ad98bf32dc09c96c8e44d1ae32e284ddc1ac42f3f9a188054844dd08427757

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdobeCreativeCloudCleanerTool.exe

Filesize
8.1MB

MD5
e5da70938aeb54b3b14abf9e65c29d04

SHA1
3284e1c5103c92c85946957c9501efff0660e60d

SHA256
3323012c634fdcd01e318febc533086b4e8c953326e9a97f645d3d954413f747

SHA512
947baa097936754f633af830a1623db53e24accce6b1d2c37ec99275a9625adcf189a2fe0adf255fa3282bb2a18fa0c301c5310074085087329999f33006093f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\PyWinTypes25.dll

Filesize
120KB

MD5
512d382120cee043f588adb419e74a9a

SHA1
03a945e6fa92656cde8c51f3d3f12c72c0b534c8

SHA256
ce0ab6842646ad2312e50f6af16fe409710a4f4caf90e8d77bc041a6ae1d80a6

SHA512
d6a27f2e4c740d37094af61001f155964d34b69a4994b84a7210583016ba92a7458c9fb28ed57365afb6a25542c4351a47bca6ea8a2310b5760bb0a2d513b2cb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\_ctypes.pyd

Filesize
80KB

MD5
019603557a38c54685fa9701347f61d5

SHA1
2742f8d4f4389735c673da86ca996d11b8765910

SHA256
14947d2369718a54aea0a39d9d1fbf34be96eb1f61be75d9330620cf2e821ed2

SHA512
ea3e4c05dd3ef4f002ac7dd8fc8330a3fa4ae7bd7a0e997147eecdba38efe528a0a4d09d2665537c3cce570d56a04ae447fc4be7f6818f1b968de110e4fa7a3d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24602\python25.dll

Filesize
2.0MB

MD5
d944becdd81caf160e6b2b3604291807

SHA1
656a376eb618cabe3bd255042ab2f2af7dc40985

SHA256
109e0a699a455f819b296cf17bfa89a55c92be9b61978b49a3c9b21c7595e5bc

SHA512
520b413671ef6997431fab54e7b7151674c484517f6879183d45a26d5f85f6beab2708925e4000bef15308845ef4c8e16e163bf1abf16cfdd475c311cde7776f

Download Submit
memory/828-242-0x0000000000340000-0x0000000000399000-memory.dmp

Filesize
356KB

Download
memory/1940-67-0x0000000004040000-0x00000000042D5000-memory.dmp

Filesize
2.6MB

Download
memory/1940-69-0x0000000004040000-0x00000000042D5000-memory.dmp

Filesize
2.6MB

Download
memory/1940-24-0x0000000004040000-0x0000000004295000-memory.dmp

Filesize
2.3MB

Download
memory/1940-65-0x0000000004040000-0x00000000042D5000-memory.dmp

Filesize
2.6MB

Download
memory/1940-23-0x0000000004040000-0x0000000004295000-memory.dmp

Filesize
2.3MB

Download
memory/1940-66-0x0000000004040000-0x00000000042D5000-memory.dmp

Filesize
2.6MB

Download
memory/2640-52-0x0000000001070000-0x00000000012C5000-memory.dmp

Filesize
2.3MB

Download
memory/2640-26-0x0000000001070000-0x00000000012C5000-memory.dmp

Filesize
2.3MB

Download
memory/2856-105-0x00000000001C0000-0x0000000000455000-memory.dmp

Filesize
2.6MB

Download
memory/2856-72-0x00000000001C0000-0x0000000000455000-memory.dmp

Filesize
2.6MB

Download